An update on international data privacy protection

David Strom 22 Dec 2022

There are seven common principles that were adopted, all in the interest of serving to the free flow of data across country borders and promoting trust between citizens and their governments.

The 38 member countries of the Organization for Economic Cooperation and Development (OECD) have recently adopted a new international agreement regulating government access to its citizens’ private data. The OECD draws on its membership from countries on several continents, including the US, Israel, Japan, Chile, the Czech Republic, and the UK. The document was released with the rather ungainly title of the “Declaration on Government Access to Personal Data Held by Private Sector Entities.”

The agreement specifically prevents personal data access that is “unconstrained, unreasonable, arbitrary or disproportionate access by members” and has specific references and controls for cross-border access. Amazingly, it has been more than 40 years since the previous OECD data privacy recommendations. This agreement attempts to clarify things and define a common policy framework, especially on what a government says is allowable and what it actually does in practice. 

“Being able to transfer data across borders is fundamental in this digital era for everything from social media use to international trade and cooperation on global health issues. Yet, without common principles and safeguards, the sharing of personal data across jurisdictions raises privacy concerns, particularly in sensitive areas like national security,” said OECD Secretary-General Mathias Cormann.

There are seven common principles that were adopted, all in the interest of serving to the free flow of data across country borders and promoting trust between citizens and their governments:

  1. A binding legal agreement from each member state will serve as the basic building block for cross-border data access.

  2. Access to private information is limited to existing laws and regulations. More importantly, data cannot be obtained for suppressing dissent or specifically targeting individuals.

  3. Human rights requirements are embedded into the data access processes and there are clearly defined emergency exceptions. 

  4. Data can only be accessed by authorized personnel with appropriate privacy measures put in place. 

  5. The legal framework of each member state will be transparent to the public. 

  6. Part of this transparency means that various oversight bodies and other reporting mechanisms will be able to review and conduct investigations when appropriate. 

  7. Violations will have specified judicial and non-judicial remedies and to compensate people for damages. This last point is significant: recent news stories have documented the differences between the EU and US privacy laws and show there is still plenty of room for improvement here. The yet-to-be-finalized EU-US Data Privacy Framework (which was announced in March by President Biden) is one example of where common ground is needed, for example.  

One issue is that the agreement isn’t legally binding. How the member states will resolve their differences and limit government surveillance isn’t clear, but at least this is a good start. 

Another issue is that members of the various member states’ intelligence agencies were not a party to any of these discussions, which is where potential surveillance abuses have occurred in the past (thank Edward Snowden) and could originate in the future. Finally, the OECD’s own Civil Society Information Society Advisory Council issued this somewhat frosty letter complaining that the agreement didn’t go far enough and that the council was shut out of most of the discussions leading up to its adoption.

Further reading:
A 2022 update on data privacy legislation
Should we require governments to share their data with the public by default?

--> -->